It is not uncommon for company senior executives to shake their heads at the mention of the word ‘fraud’. “No, we don’t have that problem.” “Our people wouldn’t do that.” “Surely the procedures will take care of that” are among the typical responses.
While larger organisations may be more vulnerable to fraud, it is safe to say that no organisation, however small, can be completely immune to the problem. Some fraudulent activities may be associated with tax evasion, illicit drugs, human trafficking, money laundering and other serious crimes. Apart from significant financial losses, organisations may also suffer reputational damage, which may lead to loss of client business through loss of trust. This may be particularly relevant to financial institutions.
This article aims to highlight some alerting facts and observations regarding fraud and to serve as a reminder of the major areas and factors that organisations need to be mindful of to effectively mitigate fraud risks. Measures that may assist with fraud prevention and detection are also provided.
1. Alerting Facts regarding Fraud
KPMG’s most recent fraud, bribery and corruption survey involved 281 respondent organisations from public and private sectors in Australia and New Zealand (KPMG, 2013). Here are the key findings:
- 43% of respondents experienced fraud, and 47% of major fraud (the single largest fraud reported by respondents) occurred as a result of insufficient internal controls;
- The larger the size of an organisation, the greater the losses to fraudulent activities it experienced;
- Financial services organisations suffered much greater losses than those in non-financial services industries;
- 75% of major fraud was committed by insiders as compared to 25% by outsiders;
- In terms of overall fraud, which takes into consideration all fraud reported by respondents, the vast majority of incidents were associated with outsiders (84% for financial services organisations and 96% for non-financial services organisations);
- 71% of perpetrators acted alone, which means nearly 30% of fraud incidents involved collusion;
- The vast majority of perpetrators (91%) did not have any known prior involvement in fraudulent activities;
- Internal controls (41.3%) and tips by employees (22.2%) were the biggest contributors to fraud detection;
- 43% of respondent organisations that suffered losses from fraudulent activities have never recovered any funds or other assets;
- Financial losses were much bigger when the perpetrators were in managerial positions.
2. Fraud Prevention and Detection
Fraud may be committed by internal staff and by outsiders such as customers, suppliers or business partners. Collusion among internal and external parties may also be present. Robust internal controls may act as an excellent deterrent to potential fraudsters. Ideally, these anti-fraud measures need to be incorporated into the day-to-day operations of the business to minimise interruptions to the business and to encourage compliance.
Fraud is such a big area and it would be impossible to provide detailed recommendations in one short article. It is hoped that the suggestions below may help point out some of the general areas where further resources may be directed to identify and mitigate fraud risks within an organisation.
- Commitment of the board and senior management: A strong message of zero tolerance for fraud from the top is a must. The message needs to be communicated to all staff clearly and on a regular basis. Staff meetings and internal newsletters may serve as good channels;
- Clear definition of roles and responsibilities: Roles and responsibilities need to be clearly defined, from senior executives to heads of departments and individual members of business units, to facilitate accountability. They can then be measured and evaluated through the performance review process;
- Fraud risk assessment: Regular and separate fraud risk assessments may be appropriate for larger organisations to efficiently utilise the available resources to mitigate the risks. For smaller organisations, it may be justified to combine the fraud risk assessment with other routine risk assessments. Representatives from all business units should ideally be involved to facilitate understanding of business operation processes and to better assess fraud risks. This may also help ensure that any anti-fraud measures developed as a result of the risk assessment are incorporated into the day-to-day operations of the business units where possible to minimise interruptions and to encourage compliance;
- Staff fraud awareness training: All staff should ideally receive general fraud awareness training regularly that is relevant to the nature of an organisation’s business. Personnel with high fraud risk roles, such as client onboarding, accounting and finance staff, may require role-specific training;
- Sound whistleblowing policy: Establish an appropriate whistleblowing policy, and ensure it is well communicated to staff so that they are aware of the appropriate reporting channels, and have confidence in the protections available to bona fide whistle-blowers. Fraud awareness training and staff newsletters may act as channels for such communication;
- Due diligence: Conducting sufficient due diligence on not only customers, but also suppliers, business partners and internal staff is crucial to fraud control. Know Your Customer (KYC), both at the inception of a customer relationship and on an ongoing basis, is a highly regulated area for financial services organisations. However, more attention to due diligence on suppliers, business partners and internal staff may be beneficial. Information and documentation received need to be independently verified. Efforts need to be made to search for indications of past deceptive conduct. National police checks, bankruptcy checks, media searches and social media networks may be excellent tools to this end;
- Segregation of duties: Segregation of duties is a simple and effective fraud prevention and detection measure. The basic rule is that no positions or roles should have the authorisation to take funds out of an organisation in any form (in cash or through bank transfers) by themselves. For example, the processing of a transaction and its verification and approval should be performed by different individuals;
- Mandatory leave and job rotations: Mandatory leave and/or job rotations, where permitted by law, may be appropriate for roles such as account managers, relationship managers, accounting and finance personnel to allow their work to be examined. This may help reduce collusion between internal staff and external parties;
- Auditors: Auditing of compliance with anti-fraud policies and procedures should ideally be incorporated into the routine and random audits conducted by internal audit teams and the annual audits conducted by external auditors. This allows an organisation to gain insights into the level of compliance and effectiveness of the procedures to make improvements;
- Robust transactions monitoring system: Ensure the transactions monitoring system is adequate given the available resources of an organisation. While it may be sufficient for small organisations to rely on their staff to manually check transactions, multi-national banks may spend billions of dollars on data mining and analytics packages to conduct their transactions monitoring. It is important to balance the costs against the risks faced by the business, size of the organisation, transaction volumes and the available resources;
- Security: Security has two aspects: physical security on the premises and cybersecurity. The importance of physical security is obvious. Cybersecurity is a complex area that has been receiving increasing attention from both the public and private sectors. Some of the questions that organisations may wish to consider include: Is access to sensitive information, such as commercial secrets and client details, granted only when necessary? Can sensitive information be remotely accessed or downloaded? If so, what are the risks of this information being sold to a competitor? Does the system track user activities, not only log-in times, but also the IP address and device ID used for the access, what information has been accessed, and what files have been downloaded? Does the system send timely alerts to the relevant personnel in case of unauthorised access?
- Sound record-keeping system: An adequate and efficient record-keeping system helps enforce accountability. Well-documented records may also serve as evidence during fraud investigations and therefore act as a detection and deterrence tool.
This article has highlighted some alerting facts and figures regarding fraud against businesses in a recent survey, in the hope of reminding organisations that fraud risks are real and potential losses can be disastrous. Several factors and potential controls that may be appropriate have also been outlined. Thanks for taking the time to read this article.
Note: Xiaoshu is not a legal practitioner. This article has been provided for general purposes only and cannot be construed as legal advice.
KPMG. (2013). A survey of fraud, bribery and corruption in Australia and New Zealand 2012. Retrieved from http://www.kpmg.com/AU/en/IssuesAndInsights/ArticlesPublications/Fraud-Survey/Documents/fraud-bribery-corruption-survey-2012v2.pdf